WEBINAR

ON-DEMAND

Google API Keys Weren't Secrets. But then Gemini Changed the Rules.

Google told developers for years that API keys were safe to embed in public code. Then Gemini changed that. When the Gemini API is enabled on a project, those same public keys can silently gain access to private Gemini data with no warning. Threat actors can access uploaded files and cached data, and rack up charges on users’ accounts.

We found nearly 3,000 exposed keys in the wild, including on Google's own infrastructure, affecting users who were simply following official guidance.

In this webinar, we'll cover:

  • How this privilege escalation works and why it's so easy to miss

  • What attackers can do with a key scraped from your public webpage

  • How to audit your GCP projects and fix your exposure today

  • Where Google is headed with key management
